With the assumption of an ongoing global cyber arms race, Western governments signed an agreement to limit the sharing and selling of dangerous cyber technologies.  David Livingstone notes, “[Cyber security technology] is a lot like the arms race.  What you want to do is slow down how fast your foe develops equivalent technologies.”

This is an important and needed step in the cyber discourse and I look forward to reading the details of how exactly these governments plan to limit the transfer of cyber technologies.  The process might not be as difficult as one would expect given that computer code does tend to have specific markers that can help identify the source.

There are three important points to note with this development.  One is the assumption of a cyber arms race.  While I do think this might be ongoing, I also do think it is an open empirical question.  Just because you think a process is happening does not mean that it is actually a reality.  Our project coding cyber conflicts started with the assumption that there was at least an evident amount of cyber conflict, but in the end we found very little evidence of real cyber conflicts.

Two, we need to be very clear on what exactly an arms race is and what dangerous arming processes are.  The mere development of cyber technologies might not be evidence of this process.  It is just as likely that this is a normal process in line with technological developments.  Arms races are meant to signify concurrent and rapidly escalating arming processes.  There should be a race of sorts.  Instead we might be witnessing evidence of the basic acquisition of cyber technologies that are not arms races at all.  Furthermore, we must be diligent in dissecting the difference between defensive and offensive technologies, and which tactic governments are concentrating their resources towards.

Finally, this is an important step that seeks to limit the dangers of cyber technologies.  Often the danger is of our own making. I welcome the conscious limitation of cyber proliferation and recognition that transferring cyber technologies might be a dangerous process.  As it is often stated, security begins at home.  States developing offensive cyber technologies must seek to consciously limit the ability of these weapons to proliferate and fall into the wrong hands.  These states must also be aware of the dangers of the development of these technologies and the likelihood of triggering the security dilemma.  On top of this, private cyber security firms might be the most dangerous actors in this process as they are not limited by the norms that might inhibit state action.

Luckily, this all falls in line with my next cyber security research project (with Ryan Maness), to collect as much data as possible on cyber arms spending, transfers, and units organized by governments and also theorize on what exactly a cyber arms race is and how it comes about.  Only with information can we hope to be aware of the nature of the contours of the cyber security debate.